IBM Support

QRadar: Invalid Session Authentication Failed



The customer was receiving an abundance of Invalid Session Authentication Failed (SIM User Authentication) failures.


A lot of Invalid Session Authentication Failed events from SIM Audit-2 would be seen in Log Activity


These messages are related to browser trying to access an expired session token.

Diagnosing The Problem

Look in the /var/log/audit/audit.log file to see if you can determine which IP it's coming from.

Resolving The Problem

Restart tomcat by running the following command on the console command prompt:

service tomcat restart

Alternatively from the QRadar web user interface, Click Admin Tab > Advanced > Restart Web Server

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.2","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018